Less of a cyber security threat and closer to a scam, vishing refers to attempts to steal information or money over the phone by convincing the victim. These calls often use personal data acquired through previous cyber attacks to gain their victim’s trust.
This type of threat is definitely on the rise. Like many other hacks and scams, vishing is a popular attack type because it is simple to carry out, scales well and is often successful. It also requires very low technological investment and requires virtually no real coding knowledge beyond basic information that can be found online.
According to a recent Truecaller survey, 26% of Americans lost money due to a phone scam in 2022. This number shows that this type of attack is on the rise and that people are largely undereducated about them.
The most common type of vishing is impersonating an authority figure such as a government official, client, or coworker. The scammer’s goal is to obtain sensitive information such as a social security number. Still, these calls can become global threats if the victim is convinced to provide something with wider ramifications, such as a computer password.
In rare cases, the scammers will attempt to convince the employee to wire money or pay for a fake invoice to steal the company’s funds. No matter the goal or method used by the scammer, the only way to foil these attacks is through proper user awareness programs.
This article will look at seven common examples of vishing and explain them thoroughly so your users don’t fall into the trap.
1. AI-Based Vishing
AI is starting to become a tool to carry out wicked agendas, and we’re seeing it play out in social engineering scams like Vishing. AI works by detecting patterns and producing iterations of them without the need for constant human input—which means that it can automatically deploy processes once it has detected a pattern in its algorithm.
There is AI software now that can mimic a person’s voice, easily fooling employees into thinking that they’re speaking to their superiors or managers. In fact, in 2021, a large-scale cyber attack was carried out through voice cloning.
The attacker used AI to mimic the company director’s voice, convincing a bank manager through a phone call to transfer $35 million as part of the bank’s acquisition process.
This incident is one of the firsts that directly links AI to cyber threats, using deep voice technology to clone an executive’s speech, voice, and melodies to carry out a cyber attack. With voice patterns readily available from social media, YouTube, interview recordings, etc., AI poses a significant threat to all organizations.
2. Robocall
These attacks feed a prerecorded call to every phone number in a specific area code through computer software. The automated voice asks the victim to state their name and other information. The answers are recorded and used to steal money or open fraudulent credit cards.
Thankfully, these calls are becoming so common that most people know them and hang up when they receive them. Another telltale sign of these attacks is international or blocked numbers since the scammers have to cycle numbers to keep authorities off their trail regularly.
3. VoIP
While VoIP is a great technology that has allowed fantastic business innovations, scammers can easily create fake numbers to carry out attacks. This technique can be combined with a robocall but is often carried out by human callers.
The best way to thwart these calls is by asking for more information to be sent via email, where attacks are easier to detect, or by asking to carry out the rest of the call in person since the attacker won’t be able to do it.
4. Caller ID Spoofing
This attack can be especially pernicious because it uses software to fake a legitimate caller ID. Scammers will usually try to pass for an institution such as a tax agency, police department, or hospital to create urgency and get the victim to surrender information they usually wouldn’t.
These attacks are hard to spot, and the best way to evade them is the same as with VoIP by taking the call to another medium. Certain phones and physical security measures can detect these fake caller IDs and automatically reject them.
5. Dumpster Diving
As the name says, these attacks are carried out using information gathered through a business’ trash. Official company documents often contain enough personal data to launch a successful vishing attack.
The best way to counter dumpster diving is simple. Every company should shred all sensitive company documents before throwing them out. Whether using an external company or buying shredders for the office, it’s a worthwhile investment considering the potential risks.
6. Tech Support Call
This attack is widespread in large companies where employees might not know or have met members of the tech support department. Scammers will pretend they need to do a computer update or repair and ask for the victim’s password to do it.
Education is key to beating these attacks. Frequently remind users that you will never ask them to divulge their password over the phone and that they shouldn’t do so under any circumstance.
7. Voicemail Scam
This attack is different and involves voice mail notifications. Many smartphones and apps send emails to their users to notify them of stored voicemails. These emails will contain a link to listen to a voicemail. These fraudulent emails will lead users to a website that downloads malware onto their devices.
This scam can be evaded by ensuring users are adequately trained to notice phishing emails. These emails often have spelling mistakes and improperly sized logos and aren’t sent from official domain names.
8. Client Call
Often done by finding old invoices via dumpster diving, scammers perpetrating these attacks will pretend to be your company’s client and ask for an invoice to be paid. They’ll rely on a sense of urgency to convince the victim to wire funds and steal company money.
This scam is an excellent example of why every company should have a two-person approval for any invoice payment or wires. That way, another person not involved in the attack has to review the process and can detect fraudulent attempts.
Education Is Key
Vishing is definitely on the rise. The best way to counter this scam is by ensuring your users know they exist so they can recognize them. Vishing simulations are just as simple as phishing simulations and should be a core part of your cyber security awareness training campaigns.
The best way to see if your organization is at risk will always be to run some tests and adjust your defenses accordingly. Hackers will always rely on mundane situations and scenarios that make people let their guard down.
Reminding users of how these situations unfold and the telltale signs to look for is the most effective course of action to prevent vishing attacks. Once people are well trained in this regard, the steps to avert vishing attacks are simple and have a high success rate.
These attacks are the same whether they target a person or an entire business. Training your staff about vishing protects their whole life, at the office and at home.
Source: Terranova